Original sotry:
http://news.softpedia.com/news/crooks-u ... 4300.shtml
Since May 21, 2016 I can't find any sample so I've retrives one on an infected Drupal (attached)
ELF compress with UPX.
https://www.virustotal.com/file/762a4f2 ... 471054395/
I do not have look deep yet but after a quick look it's seems this bot use RCP, have WP exploit + ssh scanner and has some DDoS features.
It seems that this payload is the missing piece in the jigsaw puzzle of "Armada Collective" fake DDoS Ransom :)
After Drupal infection, they upload some mailer and some webshell in sites/default/files/
Mailer ex:
http://news.softpedia.com/news/crooks-u ... 4300.shtml
Since May 21, 2016 I can't find any sample so I've retrives one on an infected Drupal (attached)
ELF compress with UPX.
https://www.virustotal.com/file/762a4f2 ... 471054395/
I do not have look deep yet but after a quick look it's seems this bot use RCP, have WP exploit + ssh scanner and has some DDoS features.
Code: Select all
a ransom note:
/home/user/src/rex/nmap/tcpsyn.go
/home/user/src/rex/nmap/quickack.go
/home/user/src/rex/nmap/connect.go
/home/user/src/rex/packet/ip.go
/home/user/src/rex/packet/dns.go
/home/user/src/rex/rpc/server.go
/home/user/src/rex/rpc/ipc.go
/home/user/src/rex/rpc/client.go
/home/user/src/rex/scanner/scanner.go
/home/user/src/rex/scanner/target.go
/home/user/src/rex/scanner/strategy.go
/home/user/src/rex/scanner/ssh.go
/home/user/src/rex/scanner/rpc.go
/home/user/src/rex/scanner/ransom.go
/home/user/src/rex/scanner/rand.go
/home/user/src/rex/scanner/php.go
/home/user/src/rex/scanner/kerner.go
/home/user/src/rex/scanner/jetspeed.go
/home/user/src/rex/scanner/http_scanner.go
/home/user/src/rex/scanner/http.go
/home/user/src/rex/scanner/wordpress.go
/home/user/src/rex/scanner/form.go
/home/user/src/rex/scanner/exagrid.go
/home/user/src/rex/scanner/drupal_hash.go
/home/user/src/rex/scanner/drupal.go
/home/user/src/rex/scanner/conn.go
/home/user/src/rex/scanner/cmd.go
/home/user/src/rex/node/rand.go
/home/user/src/rex/node/rpc.go
/home/user/src/rex/node/node.go
/home/user/src/rex/node/myip.go
/home/user/src/rex/node/metrics.go
/home/user/src/rex/node/ddos.go
/home/user/src/rex/node/blacklist_filter.go
/home/user/src/rex/dht/value.go
/home/user/src/rex/dht/store.go
/home/user/src/rex/dht/rpc.go
/home/user/src/rex/dht/node.go
/home/user/src/rex/dht/dht.go
/home/user/src/rex/dht/contact.go
/home/user/src/rex/log/log.go
/home/user/src/rex/sync.go
/home/user/src/rex/dialer_linux.go
/home/user/src/rex/dialer.go
/home/user/src/rex/elevate.go
/home/user/src/rex/binary.go
/home/user/src/rex/cmd/node/main.go
Code: Select all
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxvCbCNyK0QqSmJi9mblI
8PJB+oM8gFzhoP7ZEcwWB/EIH06EtRvv/v1JuCIWp+zITF2plviD33TcnXXQNmDJ
GRwXPoAla6rtkP3AorLgcOceK9kY4UtRlfVxH5F2HffyETS/7kvN7n+FOBAVu1qb
RGG5ejVkTqYrU30/ZWeTPXueduWoL8GbiIqK2fmB7/ug7N+mgp4xtbCK2SPknnH/
7BZQ0OfXuLi4AFeQ9L4YFcO7DMYbXb6SIuwgVqj9zzRMyvP0gWRpm4KCTFh0bJds
xb0gSCGtzzsIVTDM0viJ/iM/O6lUfh3wwQL7Qd+QcCdoCjgmk0T8DlteFdyy2qhw
6wIDAQAB
-----END PUBLIC KEY-----FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7EDEE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3BE39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF6955817183995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFFFORWARD THIS MAIL TO WHOEVER IS IMPORTANT IN YOUR COMPANY AND CAN MAKE DECISION!
We are Armada Collective.
All your servers will be DDoS-ed starting {{ .Time.Weekday.String }} ({{ .Time.Format "Jan 2 2006" }}) if you don't pay {{ .Amount }} Bitcoins @ {{ .Address }}
When we say all, we mean all - users will not be able to access sites host with you at all.
If you don't pay by {{ .Time.Weekday.String }}, attack will start, price to stop will increase by {{ .Step }} BTC for every day of attack.
If you report this to media and try to get some free publicity by using our name, instead of paying, attack will start permanently and will last for a long time.
This is not a joke.
Our attacks are extremely powerful - sometimes over 1 Tbps per second. So, no cheap protection will help.
Prevent it all with just {{ .Amount }} BTC @ {{ .Address }}
Do not reply, we will probably not read. Pay and we will know its you. AND YOU WILL NEVER AGAIN HEAR FROM US!
Bitcoin is anonymous, nobody will ever know you cooperated.
Code: Select all
"Armada Collective" email was quoted by cloudflare in this article https://blog.cloudflare.com/empty-ddos- ... ollective/ rex/rpc.NewClient
rex/rpc.(*Client).Call
rex/rpc.init.1
rex/rpc.(*ServeMux).Register
rex/rpc.(*ServeMux).HandleReadWriter
rex/rpc.(*ServeMux).HandleRequest
rex/rpc.Handler
rex/rpc.NewClient.func1
rex/rpc.(*Client).Call.func1
rex/rpc.init
rex/scanner.(*WoocommerceProductOptions).NewRequest
rex/scanner.(*WoocommerceProductOptions).Do
rex/scanner.(*WoocommerceProductOptions).Get
rex/scanner.(*WordpressRevslider).NewRequest
rex/scanner.(*WordpressRevslider).Do
rex/scanner.(*WordpressRevslider).Get
rex/scanner.(*RansomScanner).NewRequest
rex/scanner.RansomScanner.NewRequest
rex/scanner.(*RansomScanner).Do
rex/scanner.RansomScanner.Do
rex/scanner.(*RansomScanner).Get
rex/scanner.RansomScanner.Get
rex/scanner.(*Drupal).NewRequest
rex/scanner.(*Drupal).Do
rex/scanner.(*Drupal).Get
rex/node.(*NodeScanResult).Addr
rex/node.(*NodeScanResult).BaseURL
rex/node.(*NodeScanResult).HostPort
rex/node.(*NodeScanResult).String
rex/node.(*NodeScanResult).URL
rex/scanner.Run
rex/scanner.worker
rex/scanner.worker1
rex/scanner.NewConnScanner
rex/scanner.(*ConnScanner).NewServeMux
rex/scanner.(*ConnScanner).Payload
rex/scanner.(*ConnScanner).SetBinary
rex/scanner.(*ConnScanner).AddScanner
rex/scanner.(*ConnScanner).Dial
rex/scanner.(*ConnScanner).isPortOpen
rex/scanner.(*ConnScanner).Scan
rex/scanner.NewDrupalModule
rex/scanner.(*Drupal).CanExecute
rex/scanner.(*Drupal).HavocIsRunning
rex/scanner.(*Drupal).Validate
rex/scanner.(*Drupal).docImportsMiscDrupalJS
rex/scanner.(*Drupal).validateFrontpage
rex/scanner.(*Drupal).validateChangelog
rex/scanner.(*Drupal).GetForm
rex/scanner.(*Drupal).SubmitForm
rex/scanner.(*Drupal).loginPageTargets
rex/scanner.(*Drupal).lookupLoginPage
rex/scanner.(*Drupal).Login
rex/scanner.(*Drupal).SetUP
rex/scanner.(*Drupal).lookupUserEditPage
rex/scanner.(*Drupal).SetEmail
rex/scanner.(*Drupal).lookupAdminPeoplePage
rex/scanner.(*Drupal).DeleteOtherPeople
rex/scanner.(*Drupal).lookupAdminConfigSystemSiteinformationPage
rex/scanner.(*Drupal).SetFrontpage
rex/scanner.(*Drupal).lookupAdminContentPage
rex/scanner.(*Drupal).DeleteAllContent
rex/scanner.(*Drupal).EnableModule
rex/scanner.(*Drupal).lookupFilterAdminFormatForm
rex/scanner.(*Drupal).ContentFormatAddOrUpdate
rex/scanner.(*Drupal).ContentFormatAdd
rex/scanner.(*Drupal).ContentFormatUpdate
rex/scanner.(*Drupal).lookupNodeAddPage
rex/scanner.(*Drupal).PostBasicPage
rex/scanner.(*Drupal).EnablePreview
rex/scanner.(*Drupal).StructureTypeAdd
rex/scanner.(*Drupal).StructureTypeUpdate
rex/scanner.(*Drupal).SetDefaultTheme
rex/scanner.(*Drupal).DoBatch
rex/scanner.(*Drupal).CompleteBatch
rex/scanner.(*Drupal).getMetaRefresh
rex/scanner.(*Drupal).ExecSQL
rex/scanner.(*Drupal).ExecPHP
rex/scanner.NewDrupalHash
rex/scanner.(*DrupalHash).Hash
rex/scanner.(*DrupalHash).rehash
rex/scanner.(*DrupalHash).passwordCrypt
rex/scanner.(*DrupalHash).passwordCountLog2
rex/scanner.(*DrupalHash).custom64
rex/scanner.NewExagridScanner
rex/scanner.(*exagrid).Scan
rex/scanner.FormParseNode
rex/scanner.(*Form).Get
rex/scanner.(*Form).Set
rex/scanner.(*Form).UrlValues
rex/scanner.(*Form).Body
rex/scanner.(*formValue).Disabled
rex/scanner.(*formValue).SetDisabled
rex/scanner.(*formValue).Name
rex/scanner.(*formValue).SetName
rex/scanner.(*formValue).Value
rex/scanner.(*formValue).SetValue
rex/scanner.(*formValue).IsPosted
rex/scanner.(*FormSelect).IsPosted
rex/scanner.(*formValueChecked).Checked
rex/scanner.(*formValueChecked).SetChecked
rex/scanner.(*formValueChecked).IsPosted
rex/scanner.(*FormFile).Filename
rex/scanner.NewHTTP
rex/scanner.(*TransportHTTPSVerify).RoundTrip
rex/scanner.(*HTTP).NewRequest
rex/scanner.(*HTTP).Do
rex/scanner.(*HTTP).Get
rex/scanner.RandomUserAgent
rex/scanner.NewHttpScanner
rex/scanner.(*HttpScanner).AddScanner
rex/scanner.(*HttpScanner).Scan
rex/scanner.(*HttpScanner).SetPayloadFn
rex/scanner.(*HttpScanner).Payload
rex/scanner.(*HttpScanner).Dial
rex/scanner.(*HttpScanner).isHTTP
rex/scanner.(*HttpScanner).isHTTPS
rex/scanner.isConnHTTP
rex/scanner.NewJetspeedModule
rex/scanner.(*Jetspeed).Validate
rex/scanner.(*Jetspeed).Scan
rex/scanner.NewKernerScanner
rex/scanner.(*kerner).exec
rex/scanner.(*kerner).Scan
rex/scanner.(*PHP).Scan
rex/scanner.(*PHP).Exec
rex/scanner.(*PHP).Upload
rex/scanner.(*PHP).uploadPHP
rex/scanner.(*PHP).uploadNC
rex/scanner.(*PHP).upload
rex/scanner.(*PHP).fileWriteAt
rex/scanner.(*PHP).Chmod
rex/scanner.randString
rex/scanner.NewRansomScanner
rex/scanner.(*RansomScanner).Scan
rex/scanner.(*RansomScanner).doScan
rex/scanner.(*RansomScanner).makeNote
rex/scanner.(*RansomScanner).lookupContacts
rex/scanner.(*RansomScanner).extractMailto
rex/scanner.(*RansomScanner).lookupMX
rex/scanner.(*RansomScanner).mailNote
rex/scanner.(*ConnClient).call
rex/scanner.(*ConnClient).Ping
rex/scanner.(*ConnClient).SetBinary
rex/scanner.init.1
rex/scanner.(*Service).Ping
rex/scanner.init.2
rex/scanner.(*Service).SetBinary
rex/scanner.(*SSHScanner).isSSH
rex/scanner.(*SSHScanner).Scan
rex/scanner.NewSequentialStrategy
rex/scanner.(*SequentialStrategy).NextTarget
rex/scanner.NewRandomStrategy
rex/scanner.(*RandomStrategy).NextTarget
rex/scanner.init.3
rex/scanner.(*Target).String
rex/scanner.(*Target).HostPort
rex/scanner.(*Target).Addr
rex/scanner.(*Target).BaseURL
rex/scanner.(*Target).URL
rex/scanner.NewWordpressModule
rex/scanner.(*Wordpress).Validate
rex/scanner.(*Wordpress).validateGenerator
rex/scanner.(*Wordpress).validateReadme
rex/scanner.(*Wordpress).PageStyles
rex/scanner.(*Wordpress).Scan
rex/scanner.(*Wordpress).uploadWPUF
rex/scanner.(*WoocommerceProductOptions).ExecPHP
rex/scanner.(*WordpressRevslider).ExecPHP
rex/scanner.(*Wordpress).scanRoboGallery
rex/scanner.Run.func1
rex/scanner.Run.func2
rex/scanner.Run.func3
rex/scanner.Run.func4
rex/scanner.worker1.func1
rex/scanner.(*ConnScanner).Payload-fm
rex/scanner.(Dialer).Dial-fm
rex/scanner.NewHTTP.func1
rex/scanner.(*PHP).Upload.func1
rex/scanner.(*PHP).Upload.func2
rex/scanner.(*PHP).(rex/scanner.uploadPHP)-fm
rex/scanner.(*PHP).(rex/scanner.upload)-fm
rex/scanner.(*SSHScanner).isSSH.func1
rex/scanner.(*SSHScanner).isSSH.func2
rex/scanner.(*SSHScanner).Scan.func1
rex/scanner.(*SSHScanner).Scan.func2
rex/scanner.init
It seems that this payload is the missing piece in the jigsaw puzzle of "Armada Collective" fake DDoS Ransom :)
After Drupal infection, they upload some mailer and some webshell in sites/default/files/
Mailer ex:
Code: Select all
webshell (pwd:Mehdi123):
http://www.c1entertainment.com/sites/default/files/InboxMailerMgad.php
http://www.c1entertainment.com/sites/default/files/Mailer.php
Code: Select all
http://www.c1entertainment.com/sites/default/files/MehdiAbenhazou.php
Attachments
infected
(2.62 MiB) Downloaded 106 times
(2.62 MiB) Downloaded 106 times
